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^ (57) Abstract: A method (44), and an associated apparatus, is provided for exchanging security keys between mobile terminals (12, 
14) operable in a GSM cellular, or other, communication system (10). When implemented in a GSM cellular communication system 

O (10), SIM-card (34, 36) information is utilized in the generation of the keys which are exchanged between the mobile terminals (12, 
14) and thereafter are utilized to secure data which is to be transmitted between the mobile terminals (12, 14) during a communication 

^ session. 
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METHOD, AND ASSOCIATED 
SECURITY KEYS IN A 



1 

APPARATUS, FOR GENERATING 
COMMUNICATION SYSTEM 



The present invention relates generally to the 
5 communication of data, such as IP (Internet Protocol) - 
formatted data, in a communication system, such as a 
GSM (Global System for Mobile communications) cellular 
communication system. More particularly, the present 
invention relates to a method, and associated 
10 apparatus, by which to perform security key generation 
pursuant to the IPsec (Security Architecture for 
Internet Protocol) to facilitate secured 
communications of packet data between two 
communication stations, such as two mobile terminals 
15 operable in the GSM communication system. 

When implemented in a GSM communication system, 
advantageous use is made of the security algorithms 
and procedures stored at a SIM (Subscriber Identity 
Module) -card positioned at the mobile terminals. 

20 BACKGROUND OF THE INVENTION 

The use of wireless communication systems has 
achieved wide popularity in recent years as a result 
of advancements in communication technologies. Multi- 
user, wireless communication systems of improved 

25 capabilities are regularly utilized by large numbers 
of consumers to communicate both voice and nonvoice 
information . 

In a wireless communication system, a 
communication channel formed between a sending station 

30 and a receiving station is a radio channel defined 
upon a portion of the electromagnetic spectrum. 
Because a radio channel forms a communication link 
between the sending and receiving stations, a wireline 
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connection is not required to be formed between the 
sending and receiving stations to permit the 
communication of data between the stations. 
Communication by way of a wireless communication 
5 system is thereby permitted at, and between, locations 
at which the formation of a wireline connection would 
not be practical. Also, because a communication 
channel is formed of a radio channel, a radio 
communication system can be more economically 
10 installed as the infrastructure costs associated with 
a wireline communication system are significantly 
reduced . 

A cellular communication system is exemplary of a 
wireless, multi-user radio communication system which 

15 has achieved wide levels of usage and which has been 
made possible due to advancements in communication 
technologies. A cellular communication system is 
typically formed of a plurality of fixed-site base 
stations installed throughout a geographical area 

20 which are coupled to a PSTN (Public-Switched, 

Telephonic Network) . Portable transceivers, typically 
referred to as mobile stations, or mobile terminals, 
communicate with the base stations by way of radio 
links .. 

25 A cellular communication system efficiently 

utilizes the portion of the electromagnetic spectrum 
allocated thereto. Because of the spaced-apart 
positioning of the base stations, only relatively low- 
power signals are required to effectuate 

30 communications between a base station and a mobile 
station. As a result, the same frequencies can be 
reused at different locations throughout the 
geographical area. Thereby, communications can be 
effectuated between more than one set of sending and 
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receiving stations concurrently at separate locations 
throughout the area encompassed by the cellular 
communication system. 

Digital communication techniques are also 
5 utilized in many cellular, as well other types of, 
communication systems. Utilization of digital 
communication techniques, for instance, permits the 
increase of communication capacity and, also as a 
result thereof, have permitted the introduction of new 

10 types of communication services. Digital 

communication techniques have facilitated improvements 
in the maintenance of security in communications 
effectuated during operation of such communication 
systems. Various measures have been taken with 

15 respect to security issues, of significance 

particularly in radio communication systems. For 
instance, procedures are set forth to ensure that 
access is granted to mobile terminals to communicate 
by way of the communication system only subsequent to 

20 their authentication as being authorized to 

communicate therethrough. In GSM communication 
systems, an authentication procedure is set forth in 
which ciphering keys are utilized in a public/private 
ciphering scheme to perform the authentication 

25 procedures. A storage element, referred to as a SIM 
(Subscriber Identity Module) card contains the 
necessary information to perform the authentication 
procedures. Also, data encryption, prior to its 
communication upon a communication channel, and 

30 corresponding de-encryption once received at another 
communication station is provided for in GSM 
communication systems. Information stored at the SIM- 
card is also utilized for encrypting data. 
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In digital communication systems, increasingly, 
communication is effectuated through the communication 
of packets of data, such as packets of data formatted 
pursuant to a TCP/IP (Transport Control 
5 Protocol/Internet Protocol) protocol. While security 
procedures for IP-formatted data have been set forth, 
such existing procedures do not well make use of the 
information stored on the SIM cards of mobile 
terminals operable in a GSM communication system. 

10 Conventionally, public key encryption, such as PGP 
(Pretty Good Privacy) encryption, and the use of a 
certification authority (CA) have more generally been 
utilized. Such existing procedures, while utilizing a 
relatively simple key exchange, suffers from the 

15 drawback that delivery of a public key to the 

certification authority is difficult. For instance, 
the extent to which the certification authority is 
able to trust a public key delivered thereto belongs 
to the participant. 

20 If a manner could be provided by which to utilize 

the information already stored at a SIM card in an 
IPsec key exchange, improved security procedures would 
be possible. 

It is in light of this background information 

25 related to the security architecture for Internet 
protocol that the significant improvements of the 
present invention have evolved. 

SUMMARY OF THE INVENTION 
The present invention, accordingly, 
30 advantageously provides a method, and associated 

apparatus, by which to perform security key generation 
in a communication system, such as a GSM (Global 
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System for Mobile communications) , or other, cellular 
communication system. 

Through operation of an embodiment of the present 
invention, a key exchange protocol is utilized which 
5 removes a so-called man in the middle attack to the 
protocol. All messages are operated through an 
entity. In an implementation in which IP data is to 
be communicated between two mobile terminals operable 
in a communication system, messages are routed through 

10 an operator, or operators, of the GSM authentication, 
or other, communication system. 

Thereby, secured communication of packet between 
two mobile terminals operable with the GSM, or other, 
communication system is facilitated. When implemented 

15 in a communication system, advantageous use is made of 
the security algorithms and other information stored 
at a SIM (Subscriber Identity Module) -card positioned 
at the mobile terminal to generate the security keys. 
Analogously, the corresponding information stored at 

20 the network infrastructure of the GSM communication 
system is also advantageously used to facilitate such 
generation of the security keys. 

In one implementation, a manner is provided by 
which to exchange security keys between two mobile 

25 terminals operable in a GSM cellular, or other, 
communication system in which both of the mobile 
terminals communicate with the same operator. In such 
an implementation, the single operator personalizes 
the information stored at the mobile terminal and also 

30 stores the information at the operator. Thereby, 
secured key exchanges are effectuable between the 
first mobile terminal and the operator and between the 
operator and the second mobile terminal . Subsequent 
to such exchange of keys, i.e., in which the messages 
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communicated between the mobile terminals and the 
operator are signed and/or encrypted by ciphering 
keys, secured data communication is possible between 
the two mobile terminals. Secured data transmission 
5 is effectuated by encrypting the data to be 

communicated therebetween by a secret key generated 
pursuant to the key exchange effectuated by way of the 
operator . 

In the implementation in which the communication 

10 system is formed of a GSM cellular communication 

system, the mobile terminals include SIM-cards which 
contain information personalized by the operator of 
the GSM system. Authentication algorithms as well as 
a ciphering key and the identity of the mobile 

15 terminal are stored at the SIM-card. Such information 
is utilized to generate a pseudo random number, a 
first ciphering key, and the identity of the second 
mobile terminal to which IP-formatted data is to be 
communicated. Such information is forwarded to the 

20 operator which performs analogous operations and also 
determines the identity of the second mobile terminal 
to which the IP-formatted data is ultimately to be 
communicated in a communication session between the 
first and second mobile terminals. The operator 

25 generates a second ciphering key together with a 
second pseudo random number and forwards such 
information together with the identity of the first 
mobile terminal to the second mobile terminal. The 
second mobile terminal detects the transmitted 

30 information and generates a new secret key to be used 
for data transmission between the first and second 
mobile terminals. The second mobile terminal also 
determines the identity of the first mobile terminal 
responsive to the message sent thereto by the 
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operable at least to communicate packet data. 
Security keys are generated for use to secure the 
packet data communicated between the first 
communication station and the second communication 
5 station. A first ciphering key is generated at the 
first communication station. The first ciphering key 
is then forwarded to the network infrastructure 
together with indicia identifying the second 
communication station. A message is thereafter routed 

10 to the second communication station. And, secret 
keying material to be exchanged between the first 
communication station and the second communication 
station is generated. 

A more complete appreciation of the present 

15 invention and the scope thereof can be obtained from 
the accompanying drawings which are briefly summarized 
below, the following detailed description of the 
presently-preferred embodiments of the invention, and 
the appended claims. 

20 BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 illustrates a functional block diagram 
of a radio communication system in which an embodiment 
of the present invention is operable. 

Figures 2A-2B illustrate a message sequence 

25 diagram listing the sequence of operation of an 
embodiment of the present invention to exchange 
security keys to facilitate the transmission of 
secured data between the first and second mobile 
terminal shown in Figure 1. 

30 Figures 3A-3B illustrate another message sequence 

diagram, also illustrating the sequencing of messages 
generated during operation of another embodiment of 
the present invention. 
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Figures 4A-4B also illustrates a message sequence 
diagram, also illustrating the sequencing of messaging 
generated during operation of another embodiment of 
the present invention. 
5 Figure 5 illustrates a message sequence diagram 

illustrating in greater detail portions of the 
sequences shown in Figures 3A-B and 4A-B. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT 
Referring first to Figure 1, a communication 
10 system, shown generally at 10, is operable to provide 
for radio communications with mobile terminals, of 
which a first mobile terminal 12 and a second mobile 
terminal 14 are exemplary. In the exemplary 
implementation, the communication system 10 forms a 
15 GSM (Global System for Mobile communications) cellular 
communication system operable pursuant to an 
appropriate standard. While the present invention 
shall be described with respect to an exemplary 
implementation in a GSM communication system, 
20 operation of an embodiment of the present invention is 
analogously operable and such operation can be 
analogously described. 

The mobile terminal 12 is operable to transceive 
communication signals by way of radio link 16 with the 
25 network infrastructure 18 of the communication system. 
Similarly, the mobile terminal 14 is operable to 
transceive communication signals by way of the radio 
link 22 with the network infrastructure 18. The 
mobile terminal 12 is, for example, able to 
30 communicate with the mobile terminal 12 by way of a 
communication path which includes the radio links 16 
and 22 and portions of the network infrastructure 18. 
Each of the mobile terminals 12 and 14 is also capable 



WO 01/69838 



PCT/IB01/00346 



10 

of communicating with other communication stations 
(not shown) , such as a communication station coupled 
to a PSTN (Public-Switched, Telephonic Network) . 

A first operator, operator a, 26, and a second 
5 operator, operator f, 28, are also shown to form a 
portion of the communication system. The operators a 
and f are coupled to the radio network infrastructure 
18 to form a portion thereof. In conventional manner, 
the operators control operation of portions of the 

10 communication system. 

In the exemplary implementation in which the 
communication system forms a GSM cellular 
communication system, the mobile terminal 12 includes, 
in addition to transceiver circuitry 32, a SIM 

15 (Subscriber Identity Module) -card 34. The SIM-card is 
conventional of a GSM SIM-card, typically removable 
from the mobile terminal. The SIM-card includes, for 
instance, a unique identifier, IDb which identifies 
the SIM-card and, hence, the mobile terminal 12 to 

20 which the card is connected. A subscriber 

authentication key, Ki , is also stored at the SIM- 
card, as are authentication and A3 and A8 algorithms. 
The A8 algorithm, for instance, is a ciphering key 
generation algorithm. The information stored at the 

25 SIM-card 34 is utilized during operation of an 
embodiment of the present invention. 

The second mobile terminal 14 in such an 
implementation, also includes a SIM-card 36 in 
addition to transceiver circuitry 38. The information 

30 stored at the SIM-card 36 is similar to that stored at 
the SIM-card 34, individualized for the specifics of 
the mobile terminal 14. For instance, the identity, 
IDd, of the mobile terminal 14 is stored at the SIM- 
card 36 rather than the IDb stored at the SIM-card 34. 
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Operation of an embodiment of the present 
invention provides a manner by which to exchange 
security keys between the mobile terminals pursuant to 
IPsec, the security architecture for Internet 
5 protocol, through the use of the information stored at 
the SIM-cards 34 and 36. 

Figures 2A-2B illustrate a message sequence 
diagram, shown generally at 44, illustrating operation 
of an embodiment of the present invention to exchange 
10 security keys between mobile terminals 12 and 14, 
thereby to permit secured data transmission 
therebetween. The message sequence diagram 44 shown 
in Figure 3 is representative of operation of the 
communication system in which both mobile terminals 12 
15 and 14 are operated by the operator a, 26. And, here, 
the mobile terminal 12 is represented by the SIM-card 
b, 34, in which the mobile terminal 12 is utilized by 
a user c. And, the mobile terminal 14 is represented 
by the SIM-card d, 36, and the mobile terminal is 
20 operated by a user e. 

Communications are initiated by the user of the 
mobile terminal 12, as indicated by the block 46. The 
block 48 indicates the items known at the mobile 
terminal 12 at the initiation of the communication 
25 session. In addition to the information mentioned 
previously to be stored at the SIM-card 34, the IP 
address (IPa) of the operator a, 26, the IP address of 
the user c (IPc) , and the IP address of the user of 
the mobile terminal 14 (IPe) are known by the mobile 
30 terminal 12. The block 48 also indicates that a value 
of a pseudo random number, RANDf ill is generated. 

Then, and as indicated by the block 50, SK and 
TID generation is performed to form SKca values at 
both the terminal 12 and at the operator a 26. 
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Additional details relating to SK and TID generation 
shall be described with respect to Figure 5 below. 

A message 55, 
KEYGEN (TIDb, E{RANDf ill , IPc, IPe}SKca, 
5 S { RAND fill, IPc, I Pe } S Kc a } is generated by the mobile 
terminal 12, including the information it generated, 
or otherwise known at the mobile terminal 12 and 
communicated to the operator a, 26. 

Thereafter, and as indicated by the block 58, the 

10 operator a decrypts the encrypted values of IPc and 
IPe provided thereto in the message 55. 

Block 62 indicates items known at the operator a. 
Namely, IDd is the identity of the SIMd 36 of the 
mobile terminal 14 . Such value is known by both the 

15 operator a and also at the SIM-card d, 36. The 

subscriber authentication key Ki stored in the SIM- 
card d 36 is also known by the operator a, as are the 
algorithms A3 and A8 stored at the SIM-card d 36. 
Additionally, the IP addresses of the operator a 

20 (IPa), of the user c (IPc), and of the user e (IPe) 
are also known by the operator a. The value of IPe 
matches that of IDd. 

Then, and as indicated by the block 63, the 
operator a generates a pseudo random number RAND e a of 

25 128 bits. The number is generated at an AUC 

(Authentication Center) associated with the operator, 
as are also "triplets" including values of RAND, SRES, 
and Kc for the requested SIM card, here IDd. 

At the block 64, the operator a 26 generates new 

30 secret keying material, SKea to be used between the 
user e of the mobile terminal 12 and the operator a. 
The operator a concatenates Kc : s to TKea in which TKea 
is executed using a one-way algorithm Aow by which to 
generate SKea. The resultant output, SKea, is used as 
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secret keying material between the user e and the 
operator a. Block 66 indicates that operator a knows 
that the user e of the mobile terminal 14 uses an 
operator a-personalized SIM-card. 
5 As indicated by the message 68 transmitted by the 

operator a 26 to the mobile terminal 14, information 
formed at, or otherwise known by, the operator a, is 
communicated to the mobile terminal 14. Here, the 
message is indicated by 

10 KEYGEN (RANDea , S [RANDea] SKea,E[IPc, IPe] SKea) . 

Block 72 indicates that selection is made by the 
user e of the mobile terminal to accept a secured data 
link with what, to the user e, is a currently-unknown 
user, i.e., user c of the mobile terminal 12. Block 

15 74 indicates that the user e of the mobile terminal 14 
generates new secret keying material, SKea, to be used 
between the user e and operator a. The user e splits 
the RANDea to 128-bit blocks. Each block is executed 
through a SIM A8 algorithm. The output is a 64 -bit 

20 length Kc from each block. Again, alternately, the 
algorithm A3 could instead be utilized to form a 32- 
bit length SRES value. The results are concatenated 
to TKea, and TKea is executed by way of the one-way 
algorithm Aow. The output SKea is used as secret 

25 keying material between the user e and the operator a. 
Block 76 indicates that the user e of the mobile 
terminal 14 decrypts the message indicated by the 
segment 68 to obtain a value of IPc, i.e., the user c 
of the mobile terminal 12. 

30 As the operations indicated by the block 72, 74, 

and 76 are being performed, at the mobile terminal 12, 
and as indicated by the block 78, the user c of the 
mobile terminal 12 selects a value of a Dif f ie-Hellman 
group to be used in a Dif f ie-Hellman exchange. Also, 
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a value of y and g^y are calculated. Then, and as 
indicated by the message 82, such information is 
communicated from the mobile terminal 12 to the 
operator a 26. Such message is indicated by 
5 KEYEX (E {GRP , g A y } SKea ) . 

When the message 82 is detected by the operator 
a, as indicated by the block 84, the operator decrypts 
the message to obtain values of the variable of the 
Dif f ie-Hellman group and a value of g A y. 

10 Then, and as indicated by the message 86, such 

values, together with a value SKea are communicated 
from the operator a 26 to the mobile terminal 14. The 
message is indicated KEYEX (E{GRP, g A y}SKca) . Once 
received at the mobile terminal 14, and as indicated 

15 by the block 88, the user e decrypts the message 86 to 
obtain the values of GRP and g^y. Then, and as 
indicated by the block 92, the user e uses the values 
of GRP to generate x and to calculate the value g A x. 

Thereafter, and as indicated the message 94, such 

20 information is communicated from the mobile terminal 
14 to the operator a 26. The message is indicated by 
KEYEX ( E { GRP , g A x} SKea ) . Received at the operator a, 
and as indicated by the block 96, the operator 
decrypts the message to obtain values of GRP and g A x. 

25 Thereafter, and as indicated by the message 98, such 
information is forwarded from the operator a to the 
mobile terminal 12. 

Once detected thereat, and indicated by the block 
102, the user c of the mobile terminal 12 decrypts the 

30 message to obtain values of GRP and g A x. Then, and as 
indicated by the block 104, the user c generates 
secret keying material from SKce which is equal to 
(g A x) A y which is equal to g A (xy) . Then, as indicated 
by the block 106, the user c encrypts the data to be 
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communicated to the mobile terminal with the key SKce . 
Block 108 indicates that the user e of the mobile 
terminal 14 also generates secret keying material SKce 
in the same manner. 
5 The encrypted data, encrypted with SKce is 

communicated from the mobile terminal 12 to the mobile 
terminal 14, as indicated by the message 112. The 
message 112 is represented by E{ (data) } SKce . When 
detected at the mobile terminal 14, and as indicated 

10 by the block 114, the user e decrypts the encrypted 
data provided thereto with the key SKce. A response 
to be communicated by the mobile terminal 14 to the 
mobile terminal 12 is encrypted, indicated by the 
bl ock 116, with the key SKce. And, the response is 

15 communicated in the form of a message 118 to the 
mobile terminal 12. The message is indicated by 
E{ (response) }SKce. 

Figures 3A-3B illustrate a message sequence 
diagram, shown generally at 112, illustrating 

20 signaling generated during operation of another 

embodiment of the present invention. Here, again, 
keys are exchanged between the first and second mobile 
terminal 12 and 14 to be used to secure data to be 
transmitted between the mobile terminals. In this 

25 implementation, operator a 26 and operator f 28 are 

associated with the respective mobile terminals 12 and 
14 . 

First, and as indicated by the block 124, 
selection is made at the mobile terminal 12 by the 
30 user c thereof to initialize a secured data link with 
the user e of the mobile terminal 14. Block 126 
indicates that the items known at the mobile terminal 
12 include the identification of the SIMb, IDb. Also, 
the subscriber authentication key Ki and the 
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algorithms A3 and A8 , as well as the IP addresses of 
the operator a, the user c, and the user e IPa, IPc, 
and IPe are all known. The block 126 also indicates 
that a value of a pseudo random number RANDf ill is 
5 generated. 

Then, and as indicated by the block 130, SK and 
TID generation is performed to form SKca and TIDb 
values at both the terminal 12 and at the operator a. 
Additional details relating to SK and TID generation 

10 shall be described with respect to Figure 5 below. 

The information generated at, or otherwise known 
to, the mobile terminal 12 is communicated, indicated 
by the message 134, by the mobile terminal to the 
operator a. Here, the message is indicated by 

15 KEYGEN (TIDb, E{ RANDf ill , I Pa , IPc, IPe} SKca, {RANDf ill , IPa , 
IPc, IPe } SKca) . 

Then, and as indicated by the block 138, the 
operator decrypts the encrypted values of IPc and IPe 
contained in the message 134. Then, and as indicated 

20 by the block 142, the operator generates a pseudo 
random number RAND a f which is used to separate 
different parallel key generation, and is an ID to a 
session where keys are used. Then, and as indicated 
by the message 144 communicated by the operator a to 

25 the mobile terminal 14, the value of RAND a f is 
transmitted. The message is represented by 
KEYGEN (RANDaf) . 

As indicated by the block 146, selection is made 
by the user e of the mobile terminal 14 to accept a 

30 secure data link with what, with respect to the user 
e, is a currently-unknown user. Block 148 indicates 
that the items known at the mobile terminal 14 include 
the identification of the SIMd card, IDd. Such value 
is known both by the operator f 28 and the mobile 
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terminal 14. The subscriber authentication key Ki , as 
well as the algorithms A3 and A8 are also known at the 
mobile terminal as are also the IP addresses of the 
operator a, the operator f, and the user e, i.e., IPa, 
5 IPf, and IPe. A pseudo random number RANDef is also 
shown to be generated at the block 148. The RANDf ill 
value is of a length of 128 bits. Then, and as 
indicated by the block 150, SKxy generation is 
performed, here to form values of SKef and TIDd. 
10 Again, additional details regarding such generation 
shall be described with respect to Figure 5. 

Then, and as indicated by the message 156, such 
information generated at, or known by, the mobile 
terminal 14 is communicated therefrom to the operator 
15 f. The message is represented by KEYGEN 
( RAND fill, RANDa f , IPa, IPe) . 

Then, and as indicated by the block 158, the 
operator detects the message 156. 

Thereafter, and as indicated by the block 164, 
20 SKef is sent from the operator f 28 to the operator a 
26. A message 166 is shown to be communicated by the 
operator f to the operator a. The message is 
represented by KEYGEN (RANDaf , SKef , IPa , IPe) . Block 168 
indicates that the RANDaf forms the ID to the 
25 communication session in which the key SKef is used. 
And, the block 172 indicates that the user c of the 
mobile terminal 12 selects a Dif f ie-Hellman group 
variable GRP, generates y, and calculate g^y . Then, 
a message 174 is communicated by the mobile terminal 
30 12 to the operator a 26. The message is represented 
by KEYEX(E{GRP,g A y,IPc,IPe}SKca) . 

Thereafter, and as indicated by the block 176, 
upon detection of the message, the operator a decrypts 
the message to obtain values of IPe, IPe, GRP, and 
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g*y. And, a message 178 is communicated from the 
operator a to the second mobile terminal 14. The 
message is represented by 
KEYEX (E{RANDaf ,GRP,g*y, IPC, IPe}SKef ) . 
5 When the message 178 is detected by the mobile 

terminal 14, and as indicated by the block 182, the 
user e of the mobile terminal decrypts the message 
received thereat to obtain values of RANDaf , IPc, IPe, 
GRP, and g A y. Resultant therefrom, and as indicated 
10 by the block 184, the user e of the mobile terminal 
becomes aware that user c is the other participant to 
the communication session. Then, and as indicated by 
the block 186, the user e generates x and calculates 
g x. 

15 Thereafter, a message 188 is communicated from 

the mobile terminal 14 to the operator a 26. The 
message 188 is represented by KEYEX (E 
{RANDaf , GRP, g A x, IPc, IPe}SKef) . When detected at the 
operator a, and as indicated by the block 192, the 

20 operator a decrypts the message to obtain values of 

RANDaf, IPc, IPe, GRP, and g A x. A message 194 is then 
communicated from the operator a to the first mobile 
terminal 12 . The message is represented by 
KEYEX ( E { RANDa f , GRP , g "x , I Pc , I Pe } SKca ) . 

25 When the message 194 is detected at the first 

mobile terminal, and as indicated by the block 196, 
the user c of the mobile terminal decrypts the message 
to obtain values of RANDaf, IPc, IPe, GRP, AND g A x. 
Thereafter, and as indicated by the blocks 198 and 

30 202, respectively, the user c generates secret keying 
material, SKce, by (g A x) A y = g A (xy) and encrypts data 
with the key SKce. And, as indicated by the block 
204, the user e of the mobile terminal 14 also 
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generates secret keying material SKce by (g A y) *x = 
g A (xy) . 

Thereafter, an encrypted data message 206 is 
communicated from the mobile terminal 12 to the mobile 
5 terminal 14. The message is represented by 

E{ (data) } SKce . When detected at the mobile terminal 
14, and as indicated by the block 208, the user e of 
the mobile terminal 14 decrypts the encrypted data 
received thereat with the key SKce. A response by the 
10 mobile terminal 14 is generated, here represented by 
the block 212, and encrypted with the key SKce. A 
message 214 is returned by the mobile terminal 14 to 
the mobile terminal 12. The message is represented by 
E{ (response) }SKce . Then, and as indicated by the 
15 block 216, the user c of the mobile terminal 12 

decrypts the encrypted response received thereat with 
the key SKce. Thereby, secured transmission of data 
between the mobile terminals 12 and 14 is effectuated. 
Figures 4A-4B illustrate a sequence diagram, 
20 shown generally at 222, also representative of 

operation of an embodiment of the present invention. 
The sequence diagram 222, analogous to the message 
sequence diagram 122 shown in Figure 3, represents 
operation of an embodiment of the present invention in 
25 which operator a 26 is associated with the first 

mobile terminal 12 and the operator f 28 is associated 
with the second mobile terminal 14. The operation is 
performed at various elements noted in the sequence 
diagram, and messages communicated between such 
30 elements correspond with like-numbered operations and 
messages shown in, and described with respect to, 
Figure 3. Namely, operations 124-130 performed at the 
mobile terminal 12, the message 134 communicated from 
the mobile terminal 12 to the operator a 26, 
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operations 138-142 performed at the operator a, the 
message 144 communicated by the operator a to the 
second mobile terminal 14, operations 146-150 
performed at the mobile terminal 14, the message 156 
5 communicated by the mobile terminal 14 to the operator 
f 28, and the operations 158 and 164 performed at the 
operator f correspond with such operations and 
messages described with respect to the sequence 
diagram 122 shown in Figure 3. Such operation shall 
10 not again be described. In the implementation 

represented by the sequence diagram 222, a message 228 
is communicated by the first mobile terminal 12 to the 
operator a. The message is represented by 
KEYEX(E{GRP,g A y, IPC, IPe}SKca) . 
15 When the message 228 is detected at the operator 

a, and as indicated by the block 232, the operator a 
decrypts the received message to obtain values of IPc, 
IPe, GRP, and g A y. The RAND a f becomes the ID to the 
communication session in which the key SKef is 
20 utilized. Then, a message 234 is communicated by the 
operator a to the operator f 28. The message 234 is 
represented by KEYEX (RANDaf , GRP, g A y, IPc, IPe) . Then, a 
message 23 6 is communicated by the operator f to the 
second mobile terminal 14. The message 236 is 
represented by KEYEX (E{GRP, g A y, IPc, IPe}SKef) . 

When received at the second mobile terminal, and 
as indicated by the block 238, the user e decrypts the 
message to obtain values of IPc, IPe, GRP, and g A y. 
Then, and as indicated by the block 242, as a result, 
the user e obtains knowledge that the user c is the 
other participant of the communication session. Then, 
and as indicated by the block 244, the user e of the 
mobile terminal 14 generates x and calculates g A x. 
Then, a message 246 is communicated by the second 
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mobile terminal operator f. The message is 
represented by KEYEX (E {GRP, g A x, IPc , IPe } SKef ) . 

When the message 246 is detected at the operator 
f, and as indicated by the block. 248, the operator 
5 decrypts the message to obtain values of IPc, IPe, 

GRP , and g A x. Then, a message 252 is communicated by 
the operator f to the operator a. The message is upon 
any secured link and is represented by 
KEYEX (RANDaf , GRP, g A x, IPc, IPe) . 

10 Thereafter, a message 254 is communicated by the 

operator a to the first mobile terminal 12. The 
message is represented by KEYEX 
(E{GRP,g A x, IPc, IPe}SKca) . 

When detected at the mobile terminal 12, the user 

15 c thereof decrypts the received message to obtain 

values of IPc, IPe, GRP, and g A x. Then, indicated by 
the blocks 258 and 262, the user c generates secret 
keying material, SKce, by (g A x) A y = g A (xy) , and the 
data to be communicated by the mobile terminal 12 is 

20 encrypted with the key SKce. And, as indicated by 
the block 264, the user e of the second mobile 
terminal 14 generates secret keying material, SKce, by 
(g A y) A x = g A (xy) . 

Thereafter, a message 266 is communicated by the 

25 mobile terminal 12 to the mobile terminal 14. The 
message 266 is encrypted data and is represented by 
E{ (data) }SKce. When detected at the second mobile 
terminal 14, the user e thereof decrypts the encrypted 
data with the key SKce, indicated by the block 268. A 

30 response message generated at the second mobile 

terminal is encrypted, as indicated by the block 272, 
with the key SKce. The response message 274 is 
communicated by the mobile terminal 14 to the mobile 
terminal 12. The message is represented by 
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E{ (response) }SKce . When detected at the first mobile 
terminal 12, and as indicated by the block 276, the 
user c decrypts the encrypted response with the key 
SKce. Thereby, secured data communications are 
5 effectuated between the first and second mobile 
stations 12 and 14. 

Figure 5 illustrates a message sequence diagram, 
shown generally at 302, which illustrates in greater 
detail the manner by which values of SK and TID are 
10 generated during operation of an embodiment of the 
present invention. The sequence 3 02 corresponds to 
the sequence steps 50 and 130 shown in Figures 2-4 
and, by analogy, also step 150 shown in Figures 3-4. 
As indicated by step 304, the user c of the 
15 mobile station 12 elects to initiate a secure data 
link with the user e of the mobile station 14. 

Block 306 indicates that values of IDb, Ki, the 
IP addresses of the operator a, and users c and e, 
IPa, Ipc, and IPe, respectively, are known, as are the 
20 algorithms A3 and A8 . And, block 306 also indicates 
that a temporary value of TIDb is generated at the 
mobile station 12. 

Block 308 indicates that, at the operator a 26, 
values of IDd and Ki in the SIM d as well as values of 
25 the algorithms A3 and A8 are known. 

Then, as indicated by the segment 312, a message 
KEYREQ (IDb, TIDb) is sent by the mobile station 12 to 
the operator a. 

Block 314 indicates that, once the message is 
30 detected at the operator a, the value of TIDb is saved 
and a value of RANDca is calculated, here at an AUC 
(Authentication Center), along with, e.g., values of 
SRES and Kc . Then, as indi cated by the block 316, a 
new key, SKca, to be used between the user c of the 
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mobile station 12 and the operator 26 is generated. 
The key is concatenated to TKca, which is executed by 
way of a one-way algorithm, to generate an output 
value of SKca. The output value of SKca is used as 
5 secret keying material. 

Then, and as indicated by the segment 318, a 
message, KEYRAND (RANDca , TIDb, S{RANDca, TIDb} SKca) , is 
sent by the operator a 26 to the mobile station 12. 
When the message is detected at the mobile 

10 station, the detected value of TIDb is compared with 
the value formed thereat, as indicated by the block 
322. The values should match. Finally, and as 
indicated by the block 324, the user c generates a 
value of SKca, and splits the RANDca value into 128 

15 bit blocks in which each block is executed by an A8 , 
or A3, algorithm. The results are concatenated to 
TKca which is executed by way of the one-way 
algorithm. Thereafter, the output value of SKca, 
formed therefrom, is used as secret keying material. 

20 The preferred descriptions are of preferred 

examples for implementing the invention, and the scope 
of the invention should not necessarily be limited by 
this description. The scope of the present invention 
is defined by the following claims: 



25 



WO 01/69838 



PCT/IB01/00346 



24 

We claim: 

1. In a method for communicating in a 
communication system having at least a first 
communication system portion operated by a first 
operator coupled to network infrastructure of the 
5 communication system, and the communication system 

having a first communication station operable at least 
to communicate packet data and a second communication 
station, also operable at least to communicate packet 
data, an improvement of a method for generating 
10 security keys for use to secure the packet data 

communicated between the first communication station 
and the second communication station, said method 
comprising: 

generating a first ciphering key at the 
15 first communication station; 

forwarding the first ciphering key to 
the network infrastructure together with indicia 
identifying the second communication station; 

routing a message to the second 
20 communication station; and 

generating secret keying material to be 
exchanged between the first communication station and 
the second communication station. 

2. The method of claim 1 wherein the first 
25 communication station comprises a first mobile 

terminal operable in a cellular communication system, 
the first mobile terminal having a storage element for 
storing first -communication-system related information 
thereat, the first-communication-system, related 
30 information used during said operation of generating 
the first ciphering key to generate the first 
ciphering key. 
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3 . The method of claim 2 wherein the 
communication system comprises a GSM (Global System 
for Mobile communications) cellular communication 
system, wherein the first mobile terminal comprises a 
5 GSM-compatible mobile terminal the storage element 

thereof forming a SIM (Subscriber Identity Module) and 
wherein the first ciphering key generated during said 
operation of generating the first ciphering key is 
generated utilizing SIM- information stored at the SIM. 

10 4. The method of claim 3 wherein the first 

ciphering key forwarded to the network infrastructure 
during said operation of forwarding the first 
ciphering key is forwarded to the first operator. 

5. The method of claim 4 further comprising the 
15 operation, prior to said operation of routing, of 

generating a second ciphering key at the first 
operator . 

6. The method of claim 5 wherein said operation 
of routing the message to the second communication 

20 station comprises routing the second ciphering key 
generated at the first operator to the second 
communication station together with indicia 
identifying the first communication station. 

7. The method of claim 6 wherein the first 
25 operator operates at least a portion of the GSM 

cellular communication system of which the 
communication system is formed and the second 
ciphering key generated by the first operator is 
generated utilizing SIM-type information. 

8. The method of claim 7 wherein the second 
communication station to which the second ciphering 
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operable in the GSM cellular communication system. 

9. The method of claim 7 wherein the secret 
keying material generated during said operation of 

5 generating the secret keying material is utilized to 
transmit secured data between the first mobile 
terminal and the second mobile terminal. 

10. The method of claim 4 wherein the message 
routed during said operation of routing comprises a 

10 nonencrypted message utilizing SIM-type information. 

11. The method of claim 10 comprising the 
additional operation, subsequent to said operation of 
routing, of generating a second ciphering key at the 
second mobile terminal. 

15 12. The method of claim 11 wherein the 

communication system further has a second 
communication system portion operated by a second 
operator coupled to the network infrastructure of the 
communication system, said method further comprising 

20 the additional operation of forwarding the second 
ciphering key to the second operator. 

13 . The method of claim 12 comprising the 
additional operation of forwarding the seconding 
ciphering key to the first operator. 

25 14. The method of claim 13 further comprising 

the additional operation of forwarding a message from 
the first operator to the second mobile terminal, the 
message including indicia identifying the first mobile 
terminal . 



30 15. The method of claim 14 further comprising 

the additional operation of generating a third 
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ciphering key, the third ciphering key utilized during 
said operation of generating the secret material to 
generate the secret keying material. 

16. In a method for communicating in a 
5 communication system having at least a first 

communication system portion and by a first operator 
coupled to network infrastructure of the communication 
system, and the communication system having a first 
communication station operable at least to communicate 
10 packet data and a second communication station, also 
operable at least to communicate packet data, an 
improvement of a method generating security keys for 
use to secure the packet data communicated between the 
first communication station and the second 
15 communication station, said method comprising: 

generating a first ciphering key at the 
first communication station; 

forwarding the first ciphering key to 
the first network infrastructure together with indicia 
identifying the second communication station; 

generating a second ciphering key at the 
network infrastructure ; 

forwarding the second ciphering key to 
the second communication station together with indicia 
identifying the first communication station; and 

utilizing the second ciphering key to 
generate secret keying material to be exchanged 
between the first communication station and the second 
communication station . 

17. In a communication system having at least a 
first communication system portion operated by a first 
operator coupled to network infrastructure of the 
communication system, and the communication system 
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having a first communication station operable at least 
to communicate packet data and a second communication 
station, also operable at least to communicate packet 
data, an improvement of an assembly for generating 
5 security keys for use to secure the packet data 

communicated between the first communication station 
and the second communication station, said assembly 
comprising : 

a first ciphering key generator located 
10 at the first communication station, said first 
ciphering key generator for generating a first 
ciphering key at the first communication station; 

transmitter circuitry coupled to said 
first ciphering key generator, said transmitter 
15 circuitry for forwarding the first ciphering key to 
the network infrastructure together with indicia 
identifying the second communication station; 

a router positioned at the network 
infrastructure, said router routing a message to the 
20 second communication station; and 

a secret keying material generator 
located at both the first communication station and 
the second communication station, said secret material 
generator for generating secret keying material to be 
25 exchanged between the first communication station and 
the second communication station. 

18. The assembly of claim 17 wherein the 
communication system comprises a GSM (Global System 
for Mobile communications) cellular communication 
30 system and wherein the first ciphering key generated 
by said first ciphering key generator utilizes SIM- 
type information. 
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19. The assembly of claim 18 wherein said router 
is located at the first operator. 

20. The assembly of claim 19 further 
comprising a second ciphering key generator located at 
5 the first operator, said second ciphering key 
generator for generating a second ciphering key. 
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